
Effective Compliance with IEC 61508 When Selecting Solenoid Valves for Safety Systems

Jan 20, 2017


A White Paper From ASCO Valve, Inc.

by David Park and George Wahlers


Introduction

Regulatory modifications in 2010 have raised important issues in the design and use of industrial safety systems. Certain changes in IEC 61508, now being widely implemented, mean that designers and users who desire full compliance must give new consideration to topics such as SIL levels and the transition from 1H to 2H methodologies.

In particular, these issues can impact users’ selection of solenoid valves and prepackaged redundant control systems (RCS) for implementation in a safety instrumented system (SIS). Such selections may also be affected by how experienced valve suppliers are at dealing with complex new compliance methodologies.

These issues are especially applicable to the oil, gas, chemical, and power industries — in applications such as safety shutdown systems, boilers, furnaces, high-integrity protection systems (HIPS), and more. They’re of concern to safety engineers and reliability engineers, as well as to process engineers, engineering executives, and plant managers.

This report will address these issues in developing a compliant SIS using valves and RCSs. Making the right choices in safety system planning and in valve supplier selection can affect design time, costs, and effort — as well as the safety of the plant itself.

Safety in process

Every industrial plant must be concerned with risks to its safety, and with the mitigation of those risks. Safety of process components continues to be of critical importance in light of periodic industrial disasters such as Buncefield, Deepwater Horizon, and the November 2013 oil pipeline explosion in Qingdao, China.

Such events naturally draw media attention, and often increase regulatory pressures on all operations. In plants that actually suffer these or even lesser safety incidents, consequences can include the trouble and costs of process downtime — as well as the paramount considerations of harm to employees, the community, and the environment. Thus planners at all industrial process operations must avoid complacency on safety issues.

Certified solenoid valves properly used in SISs are important elements of any corporate risk mitigation strategy.

Evolving standards

IEC 61508, titled “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems,” is the accepted international standard that guides selection of components for industrial safety systems. Its latest revision, explained below, was issued in 2010.

However, certain provisions of this standard — especially Route 2H — are only now becoming widely implemented. In fact, engineering groups at numerous process manufacturers are currently wrestling with complexities arising from these issues as they evolve fresh approaches to adjust to the new standard.

Note that the technicalities may be daunting, as this report itself demonstrates. An extensive selection of specialized concepts and terms is introduced here (plus their accompanying initialisms, from SIS, SIL, and SIF to PFDavg, FMEDA, and FIT). All of these are used in determining correct compliance. Their number and scope give some indication of the difficulties facing professionals who may not be well versed in this area of safety practice.

Thus many designers and safety engineers tackling these changes find it helpful to consult a knowledgeable solenoid valve supplier. They report that their supplier’s experts can help deliver welcome savings in schedules and cost. This allows engineers to devote more attention to other critical parts of the project.

Evaluating solenoid valve redundancy and SIL

The safety engineer faces numerous challenges in designing an efficient SIS for a given plant process. He or she must decide what technology should be selected, what level of risk reduction must be achieved, what architecture is appropriate for the given control system components, and what testing is required to reach the system’s desired safety integrity level (SIL). System development also includes deciding how frequently diagnostic tests are performed, both manually and automatically; this matters because frequent testing may mean system downtime.

In particular, when selecting crucial technology such as solenoid valves, the engineer must begin by considering three factors:

1. Architectural constraints dictate the required level of redundancy needed to achieve a desired SIL level for a given safety instrumented function (SIF). This redundancy is referred to as the hardware fault tolerance (HFT).

2. A solenoid valve’s average probability of failure on demand (PFDavg) determines the device’s contribution to the SIF’s overall PFDavg when used with other devices, not its SIL capability as a stand-alone device.

3. Does the device possess IEC 61508 certification? Certification indicates that its manufacturer’s design, manufacturing, and quality procedures satisfy this IEC standard’s requirements for the device’s listed SIL capability.

Once the SIF is designed, SIL verification calculations determine if it will provide the desired risk reduction. For example, the safety engineer may use the following simplified formula on a single-channel, one out of one (1oo1) SIF with proof test coverage to determine if the PFDavg meets the desired SIL level:

PFDavg(1oo1) = CPT × λDU × TI/2 + λDD × MTTR + (1 − CPT) × λDU × LT/2

where:
PFDavg(1oo1) = Average Probability of Failure on Demand
λDU = Dangerous Undetected failure rate
λDD = Dangerous Detected failure rate
TI = Proof Test Interval
MTTR = Mean Time To Restore
CPT = Manual Proof Test Coverage = λDD / (λDD + λDU)
LT = Lifetime of the system

Consideration of certification is the next step. Devices such as solenoid valves are categorized as type A devices — “non-complex” mechanisms that possess discrete elements according to IEC 61508 (2010).

Certification begins with a failure mode effect and diagnostics analysis (FMEDA). This analysis determines the failures in time (FIT) rates “λ” for different types of failures: safe detected, safe undetected, dangerous detected, and dangerous undetected. Once these rates are established, the safe failure fraction (SFF) and PFDavg can be calculated.
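The simplified 1oo1 formula above, carried through in code as an added example (not from the white paper or ASCO): failure rates enter in FIT and are converted to per-hour values, and the result is placed in a low-demand SIL band. The FIT values are constructed, and the PFDavg bands come from IEC 61508-1 rather than from this paper.

```python
"""PFDavg for a 1oo1 final element, using the simplified formula quoted in the
white paper (CPT * lDU * TI/2 + lDD * MTTR + (1 - CPT) * lDU * LT/2).
Added example; the sample rates below are constructed, not ASCO product data."""

HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # one FIT is one failure per 1e9 device-hours


def proof_test_coverage(lambda_dd_fit: float, lambda_du_fit: float) -> float:
    """CPT as the paper defines it: lDD / (lDD + lDU)."""
    return lambda_dd_fit / (lambda_dd_fit + lambda_du_fit)


def pfd_avg_1oo1(lambda_du_fit, lambda_dd_fit, ti_years, mttr_hours, lt_years):
    """Average probability of failure on demand for a single channel.

    Failure rates are given in FIT, TI and LT in years, MTTR in hours; all are
    converted to per-hour rates and hours before the formula is applied.
    """
    l_du = lambda_du_fit * FIT
    l_dd = lambda_dd_fit * FIT
    cpt = proof_test_coverage(lambda_dd_fit, lambda_du_fit)
    ti = ti_years * HOURS_PER_YEAR
    lt = lt_years * HOURS_PER_YEAR
    # Three contributions: DU faults revealed by the periodic proof test,
    # DD faults present while the valve is being restored, and DU faults the
    # proof test never finds, which persist for the whole lifetime.
    return cpt * l_du * ti / 2 + l_dd * mttr_hours + (1 - cpt) * l_du * lt / 2


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 bands, 1e-5 to 1e-1;
    not stated in the white paper). Returns 0 when PFDavg is too high even
    for SIL 1; values below 1e-5 are reported as SIL 4 for simplicity."""
    bands = ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1))
    for upper, sil in bands:
        if pfd < upper:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed valve: 200 FIT dangerous undetected, 800 FIT dangerous
    # detected, yearly proof test, 8 h repair, 10-year mission time.
    pfd = pfd_avg_1oo1(200, 800, ti_years=1, mttr_hours=8, lt_years=10)
    print(f"PFDavg = {pfd:.3e} -> SIL {sil_from_pfd(pfd)} band")
```

With these inputs the lifetime term for undetected faults the proof test never finds dominates, which is why proof test coverage matters as much as the test interval.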


IEC 61508 allows two routes to determine a solenoid valve’s SIL capability. The traditional Route 1H uses FIT rates to calculate a safe failure fraction (SFF) for the given valve. The SFF can then be used to determine the HFT, which in turn can establish the level of redundancy required in using this valve, and can show what SIL level the safety function utilizing this valve would attain.

SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)

Failure rate types:
λSD = Safe Detected failure rate
λSU = Safe Undetected failure rate
λDD = Dangerous Detected failure rate
λDU = Dangerous Undetected failure rate

As part of an effort to reduce ambiguity in failure type definitions, for its 2010 release IEC 61508 altered the SFF formula used in Route 1H. Briefly, “no effect” failures are no longer a component of safe failures.

This change usually produces a lower SFF in the formula above. If the SFF values drop below certain thresholds as shown in the table below, a higher HFT than before is required to achieve desired SIL levels. For example, a valve with an SFF of 75% would be SIL 3 capable with an HFT of 1. But if the SFF dropped below 60%, the valve would only be SIL 2 capable with that same HFT of 1.

Type A Subsystem: SIL capability by Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT)

SFF             HFT 0    HFT 1    HFT 2
< 60%           SIL 1    SIL 2    SIL 3
60% to < 90%    SIL 2    SIL 3    SIL 4
90% to < 99%    SIL 3    SIL 4    SIL 4
≥ 99%           SIL 3    SIL 4    SIL 4

Note: An HFT of N means that N+1 faults could cause a loss of the safety function.
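The SFF formula and the Type A table above, worked as an added example (not from the white paper or ASCO): the SFF is computed with and without “no effect” failures counted as safe, so the 2010 drop described in the text and its effect on the SIL claim at a given HFT can be seen. The FIT values are constructed.

```python
"""Safe failure fraction and Route 1H SIL capability for a type A subsystem,
following the SFF formula and HFT table quoted in the white paper.
Added example; the FIT values below are constructed, not ASCO product data."""


def safe_failure_fraction(l_sd, l_su, l_dd, l_du, l_ne=0.0, count_no_effect=False):
    """SFF = (lSD + lSU + lDD) / (lSD + lSU + lDD + lDU).

    IEC 61508:2010 removed "no effect" failures (l_ne) from the safe failures;
    count_no_effect=True reproduces the older accounting so the drop is visible.
    """
    safe = l_sd + l_su + l_dd
    total = safe + l_du
    if count_no_effect:
        safe += l_ne
        total += l_ne
    return safe / total


# Type A subsystem, Route 1H: (SFF lower bound, SIL capability at HFT 0, 1, 2)
TYPE_A_TABLE = (
    (0.99, (3, 4, 4)),
    (0.90, (3, 4, 4)),
    (0.60, (2, 3, 4)),
    (0.00, (1, 2, 3)),
)


def sil_capability_type_a(sff: float, hft: int) -> int:
    """Maximum SIL a type A element may claim for a given SFF and HFT."""
    if hft not in (0, 1, 2):
        raise ValueError("table covers HFT 0, 1 and 2 only")
    for lower_bound, sils in TYPE_A_TABLE:
        if sff >= lower_bound:
            return sils[hft]
    raise ValueError("SFF must be between 0 and 1")


if __name__ == "__main__":
    # Constructed FMEDA result: 300 FIT safe undetected, 400 FIT dangerous
    # undetected, 900 FIT "no effect"; no diagnostics, so lSD = lDD = 0.
    old = safe_failure_fraction(0, 300, 0, 400, l_ne=900, count_no_effect=True)
    new = safe_failure_fraction(0, 300, 0, 400, l_ne=900)
    for label, sff in (("pre-2010 accounting", old), ("IEC 61508:2010", new)):
        print(f"{label}: SFF = {sff:.1%}, HFT 1 -> SIL {sil_capability_type_a(sff, 1)}")
```

The constructed values reproduce the text’s example: 75% SFF gives SIL 3 at HFT 1 under the old accounting, while dropping the no-effect failures pushes the SFF below 60% and the same valve becomes SIL 2 capable at HFT 1.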


Evaluating Routes 1H and 2H

Another major change in the 2010 release of IEC 61508 was the introduction of Route 2H. This began the process whereby some certifying agencies are phasing out Route 1H approaches for evaluation of final elements (solenoid valves, actuators, ball valves, etc.).

As with Route 1H, failure rates (λ) are first determined via lab testing or FMEDA calculation. But instead of SFF and HFT, Route 2H uses the failure rates to determine PFDavg and HFT for SIL capability.

And perhaps most importantly, Route 2H affirms the failure rates with historical information — actual customer field return data on component reliability. In fact, Route 2H can only be applied if there is sufficient field data to support the failure rates used in the PFDavg calculations and the valve is proven in use. If so, this data can be used to determine SIL levels.

How is that historical data obtained? It’s most often available when dealing with a supplier who has received validation from leading independent global safety certification sources, such as Exida or TÜV. Failure rates for numerous ASCO parts and components are supported by data collected by Exida arising from literally billions of hours of operation.

The paramount advantage of using Route 2H: its higher confidence level. This refers to the statistical probability that the actual failure rate — λactual — will fall between the limits λ5% and λ95% (the two edges of a bell curve). While Route 1H usually exhibits only 70% confidence, Route 2H typically achieves 90% — promising a 90% certainty that the predicted failures will occur as expected. This higher confidence is possible due to the support of calculated failure rates by actual field return data, and the ability to take more uncertainties into account.

Note that Route 1H will still be used for electronic or other complex devices, programmable systems, and other devices incorporating diagnostics. Route 2H is applied to simple or mechanical products such as valves and other final elements.

Nevertheless, industry-wide acceptance of the Route 2H method has been growing steadily since it was first implemented. Agencies such as Exida use the Route 2H approach for both new and renewed certifications. Some customers have been understandably hesitant to adopt it because of existing investments in their systems using Route 1H. Fortunately, changing from the 1H to the 2H approach makes little or no difference in certification. We recommend that users become familiar with Route 2H and understand its significance.

Evaluating suppliers

For the safest system design, selecting the right solenoid valve supplier may be as important as any of the technical choices discussed above.

Solenoid valves are too critical to be purchased as mere commodities; avoid vendors who emphasize the lowest price alone. Look instead for a supplier that’s deeply involved in safety issues, understands what’s involved in setting up a safety system, and has comprehensive resources to provide technical support.

Safety certification of valve components can involve considerable complexities for the supplier. Gravitate toward suppliers who have taken the trouble to obtain such certification — and who are validated by independent sources. ASCO possesses the world’s widest variety of SIL-certified pilot valve solutions. Many of these products have certifications from both Exida and TÜV international agencies.

Ask the right questions. When you’re evaluating products for an SIS, does a given supplier furnish your required level of local/international service/support? Does it provide a comprehensive selection, so you can find precisely the products you need?

Conclusion

Safety is a critical requirement for most if not all industrial plants. It’s vital that users keep up with new developments in regulation and technology within this fast-changing field. This is particularly true of the ability to make informed decisions on issues such as compliance with IEC 61508, consideration of SIL levels, transition from 1H to 2H, and selecting solenoid valves.

An experienced solenoid valve supplier that’s knowledgeable about these issues can serve as a valuable resource for advice and information. Users who stay informed can ensure compliance and improve savings and process safety.

Takeaways

• IEC 61508 has new methods to determine SIL capability for valves used in safety systems.

• Designers and users must consider valve redundancy, SIL levels, and the transition from 1H to 2H certification methodologies.

• A valve supplier concerned with and experienced in compliance topics can remove much of the burden of these issues in safety system design.

• Making correct choices can affect design time, costs, and effort, as well as overall plant safety.


The ASCO logo is a trademark of Automatic Switch Co. The Emerson logo is a trademark and service mark of Emerson Electric Co. All other trademarks are the properties of their respective owners. © 2014 ASCO Valve, Inc. All rights reserved. Printed in the U.S.A.